On Fri, Mar 17, 2017 at 11:46 AM, Viktor Dukhovni <[email protected]> wrote:

> > On Mar 17, 2017, at 2:20 PM, Paul Hoffman <[email protected]> wrote:
> >
> >> Is this because you're worried about the parent removing evidence of DNSSEC
> >> for the child in the spoofing scenario?
> >
> > No, this is because the parent can spoof any data for the child. It is
> > unrelated to DNSSEC.
>
> With qname minimization, the parent will first need to deny an NS
> RRset for the child, and those DOE records are better candidates
> for logging than routine non-NS queries.

Can you expand on how the DOE record (which I assume means denial-of-existence) could work with an adversarial parent? The only approach I can think of is some sort of UI support, which isn't very compelling. (Perhaps monitors, but alas I'm not really up-to-date on where things are at with monitors and gossip.)

> So logging can be limited
> to NS/DS queries, but that still leaves us with the problem of how
> to avoid logging non-existence of NS/DS for all the sundry leaf
> nodes. The public suffix list might be a useful resource here...
>

I agree.

-Wei

> --
> Viktor.
>
> _______________________________________________
> Trans mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/trans
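The filtering Viktor sketches above (limit logging to NS/DS data, and use the Public Suffix List to avoid logging non-existence for leaf names under qname minimization), worked through as an added, self-contained Python example. This is not code from the thread or from any CT/DNSSEC-transparency project: the `PUBLIC_SUFFIXES` set is a constructed stand-in for the real list, `DnsResponse` is a hypothetical view of what a log submitter would see, and the policy of keeping signed NS/DS denials only at public-suffix and registrable-domain boundaries is my assumption about how the list would be applied.

```python
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List (publicsuffix.org); the real
# list has thousands of entries, this handful is enough to drive the example.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}


@dataclass(frozen=True)
class DnsResponse:
    """Minimal, hypothetical view of a resolver response as a log submitter sees it."""
    qname: str       # owner name queried, e.g. "www.example.com."
    qtype: str       # "NS", "DS", "A", ...
    has_rrset: bool  # the requested RRset was returned in the answer section
    has_nsec: bool   # authority section carries an NSEC/NSEC3 denial-of-existence proof


def labels(name):
    """Split a DNS name into lowercase labels, ignoring the trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def minimized_ns_queries(qname):
    """Names a qname-minimizing resolver (RFC 7816) asks NS for, shortest suffix first."""
    ls = labels(qname)
    return [".".join(ls[i:]) + "." for i in range(len(ls) - 1, -1, -1)]


def public_suffix(name):
    """Longest suffix of name that is in PUBLIC_SUFFIXES, or "" if none matches."""
    ls = labels(name)
    for i in range(len(ls)):
        candidate = ".".join(ls[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return ""


def is_delegation_boundary(name):
    """True for public suffixes and registrable domains (suffix plus one label).

    Assumed policy: these are the names whose NS/DS denial-of-existence is worth
    logging; anything deeper is a "sundry leaf node" whose denial is skipped.
    """
    suffix = public_suffix(name)
    if not suffix:
        return False  # under no known suffix: treat as a leaf
    depth = len(labels(name)) - len(labels(suffix))
    return depth <= 1


def should_log(resp):
    """Decide whether a response is submitted to the (hypothetical) DNSSEC log."""
    if resp.qtype not in ("NS", "DS"):
        return False  # logging is limited to delegation-point data
    if resp.has_rrset:
        return True  # a positive NS or DS answer is logged at any depth
    if not resp.has_nsec:
        return False  # an unsigned denial carries no proof worth logging
    return is_delegation_boundary(resp.qname)


def log_decisions(responses):
    """Apply should_log to a batch and return (qname, qtype, decision) triples."""
    return [(r.qname, r.qtype, should_log(r)) for r in responses]


# Constructed sample: the NS queries a minimizing resolver issues while resolving
# www.example.com, plus a DS lookup and an ordinary A query for comparison.
SAMPLE = [
    DnsResponse("com.", "NS", has_rrset=True, has_nsec=False),
    DnsResponse("example.com.", "NS", has_rrset=True, has_nsec=False),
    DnsResponse("www.example.com.", "NS", has_rrset=False, has_nsec=True),  # leaf denial
    DnsResponse("example.com.", "DS", has_rrset=False, has_nsec=True),      # signed "no DS"
    DnsResponse("www.example.com.", "A", has_rrset=True, has_nsec=False),
]

if __name__ == "__main__":
    for qname, qtype, decision in log_decisions(SAMPLE):
        print(f"{qname:20s} {qtype:3s} -> {'log' if decision else 'skip'}")
```

The interesting row is the signed "no DS" at `example.com.`: it is kept because a parent silently dropping a DS record is exactly the kind of change a monitor would want on the record, while the NSEC denial for `www.example.com.` is dropped as leaf noise even though a minimizing resolver still issued that NS query.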
